'123456' Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

It may be a ho-hum fact for many longtime security practitioners, but it nevertheless remains a fact that most users' password hygiene stinks. And since the needle on this matter moves about as much as a speedometer needle on an engineless car, the topic clearly bears revisiting. This time the reexamination of poorly chosen password comes by a recent report by SplashData on the worst passwords of 2016.

The team at SplashData took a look a look at more than five million passwords that were stolen from enterprises and leaked to the public last year to get a feel for the types of authentication secrets people use in real world. The results aren't pretty. According to the firm, the most common passwords are also ridiculously insecure - both from a prevalence and ease of guessing standpoint.

Tops on the list was "123456," which makes up about 4% of the sample set, followed closely by "password." In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts:

123456

password

12345

12345678

football

qwerty

1234567890

1234567

princess

1234

login

welcome

solo

abc123

admin

121212

flower

passw0rd

dragon

sunshine

master

hottie

loveme

zaq1zaq1

password1

Also troubling is that the list is littered with many more trivial variations of the top two offenders, with six sequential number variations and three variations of "password."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," says Morgan Slain, CEO of SplashData, Inc.

In fact, 2016 also offered up the perfect anecdotal evidence to show the dangers of crummy passwords: the Democratic National Committee (DNC) hack was laid partially at the feet of a negligently chosen password. WikiLeaks' Julian Assange claims that John Podesta, chairperson of Hillary Clinton's 2016 campaign, used a "password" variant for one of his systems, and other reports show that Podesta used a slightly more sophisticated but still easily hacked "Runner4567" for several others.

It was that second gaffe that allowed attackers to take over multiple online accounts in a fell swoop, and which illustrate the fact that choosing a quality password is just one part of password hygiene.

In a recent interview, Facebook CSO Alex Stamos claims password reuse is one of the biggest online dangers to user accounts.

"The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords," he said in an interview with TechCity.

In fact, a report out last week from Shape Security reports that reused passwords are fueling a credential-stuffing hacking bonanza online today. The firm released a report that showed 90% of today's enterprise login traffic comes from attackers automatically trying passwords stolen from one site in login screens at other sites in order to takeover accounts.

Shape reports that they're successful about 2% of the time--a very lucrative rate when they play the numbers game with millions of stolen credentials stuffed across hundreds of sites online.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio

What a shocker! Users are lazy and use convenient and easy to memorize passwords. Corporations, for which protecting sensitive data is vital, password management solutions that would enforce a combination of alphanumerical, symbol and Caps letters would be a first step. identity governance and user behavior are a must.

Okay, it is time to publicly admit that PASSWORDS are not working as a method of authentication. It doesn't matter how many times you flog a dead horse, it isn't go to get up and run the golden mile and let you win big - the same goes for passwords folks. So, where to next??? We are overdue a replacement for passwords that will be end user friendly and simple. Let's face it people, we humans are inherently lazy. Ideas people......

The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.

Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...

Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...